Cisco ASA - Compatibility with XDR mapping #24168 (#23779)

* update cisco asa parsing rules and modeling rules

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate cisco asa modeling rule with new xdm field

* udpate modeling rules

* udpate modeling rules

* Updated parsing rules

* save tese data file changes

* update modelinng rules

* update modeling rules

* update modeling rules

---------

Co-authored-by: Yehonatan Asta <[email protected]>
Co-authored-by: Darya Koval <[email protected]>

Author: 3 people

Packs/CiscoASA/ModelingRules/CiscoASA_1_3/CiscoASA_1_3.xif

@@ -1,18 +1,14 @@
 [MODEL: dataset=cisco_asa_raw]
 alter
-    event_id = to_integer(arrayindex(regextract(_raw_log, "ASA\-\d\-(\d+)\:"),0)),
-    priority = arrayindex(regextract(_raw_log, "\<(\d+)\>"),0),
-    severity = arrayindex(regextract(_raw_log, "\%ASA\-(\d)\-\d+\:\s"),0),
-    message = arrayindex(regextract(_raw_log, "\%ASA\-\d\-\d+\:\s(.*)"),0),
-//direction = arrayindex(regextract(_raw_log,"Built\s+([A-Za-z]+)\s+[A-Z]+\s+connection"),0),// the field not exits on data model network
-    duration = arrayindex(regextract(_raw_log,"duration\s*(\d+\:\d+\:\d+)\s*"),0), // not have function in xql to change it to milliseconds
-    bytes = arrayindex(regextract(_raw_log,"bytes\s*(\d+)\s+"),0),
-    threat_level = arrayindex(regextract(_raw_log,"threat-level\:\s*([^\,]+)\,"),0)
+    event_id = to_integer(arrayindex(regextract(_raw_log, "ASA\-[session]*\-*\d\-(\d+)\:"),0)),
+    severity = arrayindex(regextract(_raw_log, "ASA\-[session]*\-*(\d+)\-\d+\:"),0),
+    message = arrayindex(regextract(_raw_log, "\%ASA\-\d\-\d+[\:|\s\-]+\s(.*)"),0)
 // Action
 | alter action1 = arrayindex(regextract(_raw_log ,"\d+\-\d+\:\s([a-zA-Z]+[\s|\-][a-zA-Z]{2,}\s+[a-zA-Z\s]{3,})"),0),
     action2 = arrayindex(regextract(_raw_log ,"([a-zA-Z]{3,}\s[a-zA-Z]{3,}\s[a-zA-Z\s]{3,})\.*$"),0),
-    action3 = arrayindex(regextract(_raw_log ,"\d+\-\d+\:\s\[([A-Za-z\s]+)\]"),0)
-| alter action = coalesce(action1 ,action2, action3)
+    action3 = arrayindex(regextract(_raw_log ,"\d+\-\d+\:\s\[([A-Za-z\s]+)\]"),0),
+    action4 = arrayindex(regextract(_raw_log ,"\d+\-\d+[\s\-]+([A-Za-z\s]+)"),0)
+| alter action = coalesce(action1 ,action2, action3, action4)
 // host ip
 | alter host_ip1 = arrayindex(regextract(_raw_log ,"\s*IP\s\<(\d+\.\d+\.\d+\.\d+)\>[\s|\,]"),0),
     host_ip2 = arrayindex(regextract(_raw_log ,"\s*[IP|server]\s*\=\s*(\d+\.\d+\.\d+\.\d+)\s*"),0),
@@ -36,6 +32,29 @@ alter
     protocol2 = arrayindex(regextract(_raw_log,"\:\s*[A-Za-z]*\s+[A-Z]*[a-z]+\s+([A-Z]+)\s+connection"),0),
     protocol3 = uppercase(arrayindex(regextract(_raw_log ,"\sprotocol\=([a-zA-Z]+)"),0))
 | alter protocol = coalesce(protocol1, protocol2, protocol3 )
+// duration
+| alter duration_string = arrayindex(regextract(_raw_log ,"[D|d]uration\:*\s+([a-z0-9\:]+)[\s|\,]"),0)
+| alter duration_split = split(duration_string ,":")
+// duration parts
+| alter duration_part_0 = arrayindex(duration_split,0),
+    duration_part_1 = arrayindex(duration_split,1),
+    duration_part_2 = arrayindex(duration_split,2)
+| alter duration_part_0_millis = if(duration_part_0 contains "h", multiply( to_number(arrayindex(regextract(duration_part_0 ,"\d+"),0)),3600000),duration_part_0 contains "m", multiply( to_number(arrayindex(regextract(duration_part_0 ,"\d+"),0)),60000) ,duration_part_0 contains "s", multiply( to_number(arrayindex(regextract(duration_part_0 ,"\d+"),0)),1000),duration_part_0 ~= "\d+" and duration_part_0 != "0", multiply(to_number(duration_part_0),3600000) ,0),
+    duration_part_1_millis = if(duration_part_1 contains "h", multiply( to_number(arrayindex(regextract(duration_part_1 ,"\d+"),0)),3600000),duration_part_1 contains "m", multiply( to_number(arrayindex(regextract(duration_part_1 ,"\d+"),0)),60000) ,duration_part_1 contains "s", multiply( to_number(arrayindex(regextract(duration_part_1 ,"\d+"),0)),1000) ,duration_part_1 ~= "\d+" and duration_part_1 != "0", multiply(to_number(duration_part_1),60000),0),
+    duration_part_2_millis = if(duration_part_2 contains "h", multiply( to_number(arrayindex(regextract(duration_part_2 ,"\d+"),0)),3600000),duration_part_2 contains "m", multiply( to_number(arrayindex(regextract(duration_part_2 ,"\d+"),0)),60000) ,duration_part_2 contains "s", multiply( to_number(arrayindex(regextract(duration_part_2 ,"\d+"),0)),1000) ,duration_part_2 ~= "\d+" and duration_part_2 != "0", multiply(to_number(duration_part_2),1000),0)
+| alter duration = add(add(duration_part_0_millis , duration_part_1_millis ),duration_part_2_millis)
+// hostname
+| alter hostname1 = arrayindex(regextract(_raw_log ,"\d{2}\:\d{2}\:\d{2}\s*[-|+]*[\d\:]*\s*([A-Za-z0-9\-]{3,})\s"),0),
+    hostname2 = arrayindex(regextract(_raw_log ,"\d{2}\:\d{2}\:\d{2}Z*\s(\d+\.\d+\.\d+\.\d+)\s"),0),
+    hostname3 = arrayindex(regextract(_raw_log ,"\<\d+\>\s+(\d+\.\d+\.\d+\.\d+)\s"),0)
+| alter hostname = coalesce(hostname1, hostname2 , hostname3)
+// send bytes
+| alter bytes1 = arrayindex(regextract(_raw_log ,"\d{2}\:\d{2}\sbytes\s(\d+)"),0),
+    bytes2 = arrayindex(regextract(_raw_log ,"Bytes\sxmt\:\s([0-9]+)\,"),0),
+    bytes3  = arrayindex(regextract(_raw_log ,"packet\s([0-9]+)\sbytes"),0),
+    bytes4  = arrayindex(regextract(_raw_log ,"size\s\=\s([0-9]+)\sbytes"),0),
+    bytes5 = arrayindex(regextract(_raw_log ,"\,\sBytes\:\s([0-9]+)"),0)
+| alter sent_bytes = to_integer(coalesce(bytes1 , bytes2 , bytes3 , bytes4,bytes5 ))
 // ------------------------------ create source/dest ip/port/interface part ---------------------------------
 //option 1
 // <source_ip>/<source_port> to <dest_ip>/<dest_port>
@@ -49,24 +68,26 @@ alter
 | alter
     source_ip2 = arrayindex(regextract(_raw_log,"\w+\s*[a-zA-Z0-9-_]+\:\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/*\d*\s*to\s*"),0),
     source_port2 = arrayindex(regextract(_raw_log,"\w+\s*[a-zA-Z0-9-_]+\:\s*\d+\.\d+\.\d+\.\d+\/(\d+)\s*to\s*"),0),
-    dest_ip2 = arrayindex(regextract(_raw_log,"\s*to\s*[a-zA-Z0-9-_]+\:(\d+\.\d+\.\d+\.\d+)\/*[a-zA-Z0-9]+"),0), // same on option 2,3,4
-    dest_port2 = arrayindex(regextract(_raw_log,"\s*to\s*[a-zA-Z0-9-_]+\:\d+\.\d+\.\d+\.\d+\/+([a-zA-Z0-9]+)"),0),// same on option 2,3,4
+    dest_ip2 = arrayindex(regextract(_raw_log,"[^\)]\sto\s*[a-zA-Z0-9-_]+\:(\d+\.\d+\.\d+\.\d+)\/*[a-zA-Z0-9]+"),0), // same on option 2,3,4
+    dest_port2 = arrayindex(regextract(_raw_log,"[^\)]\sto\s*[a-zA-Z0-9-_]+\:\d+\.\d+\.\d+\.\d+\/+([a-zA-Z0-9]+)"),0),// same on option 2,3,4
     source_interface2 = arrayindex(regextract(_raw_log,"([a-zA-Z0-9-_]+)\:\s*\d+\.\d+\.\d+\.\d+\/\d+\s*to"),0),
-    dest_interface2 = arrayindex(regextract(_raw_log,"\s*to\s*([a-zA-Z0-9-_]+)\:\d+\.\d+\.\d+\.\d+\/+[a-zA-Z0-9]+"),0)// same on option 2,3,4
+    dest_interface2 = arrayindex(regextract(_raw_log,"\d+\s*to\s*([a-zA-Z0-9-_]+)\:\d+\.\d+\.\d+\.\d+\/+[a-zA-Z0-9]+"),0)// same on option 2,3,4
 //option 3
 // for <interface>:<source_ip>/<source_port> (<mapped_ip>/<mapped_port>) to <dest_ip>/<dest_port>
 // dest_ip, dest_port, dest_interface on option 3 is the same as option 2,4,5
 | alter
-    source_ip3 = arrayindex(regextract(_raw_log,"[a-zA-Z0-9-_]+\:\s*(\d+\.\d+\.\d+\.\d+)\/\d+\s*\([^\)]+\)\s*\(*[^\)]*\)*\s*to"),0),
-    source_port3 = arrayindex(regextract(_raw_log,"[a-zA-Z0-9-_]+\:\s*\d+\.\d+\.\d+\.\d+\/(\d+)\s*\([^\)]+\)\s*\s*\(*[^\)]*\)*\s*to"),0),
-    source_interface3 = arrayindex(regextract(_raw_log,"([a-zA-Z0-9-_]+)\:\s*\d+\.\d+\.\d+\.\d+\/\d+\s*\([^\)]+\)\s*\(*[^\)]*\)*\s*toto"),0),
-    source_mapped_ip = arrayindex(regextract(_raw_log,"\d+\.\d+\.\d+\.\d+\/\d+\s*\((\d+\.\d+\.\d+\.\d+)\/\d+\)\s*to"),0),
-    source_mapped_port = arrayindex(regextract(_raw_log,"\d+\.\d+\.\d+\.\d+\/\d+\s*\(\d+\.\d+\.\d+\.\d+\/(\d+)\)\s*to"),0),
-    dest_ip3 = arrayindex(regextract(_raw_log,"to\s*[a-zA-Z0-9-_]+\:(\d+\.\d+\.\d+\.\d+)\/\d+\s*"),0),
-    dest_port3 = arrayindex(regextract(_raw_log,"to\s*[a-zA-Z0-9-_]+\:\d+\.\d+\.\d+\.\d+\/(\d+)\s*"),0),
-    dest_interface3 = arrayindex(regextract(_raw_log,"to\s*([a-zA-Z0-9-_]+)\:\d+\.\d+\.\d+\.\d+\/\d+\s*"),0),
-    dest_mapped_ip = arrayindex(regextract(_raw_log,"to\s*[a-zA-Z0-9-_]+\:\d+\.\d+\.\d+\.\d+\/\d+\s*\((\d+\.\d+\.\d+\.\d+)\/"),0),
-    dest_mapped_port = arrayindex(regextract(_raw_log,"to\s*[a-zA-Z0-9-_]+\:\d+\.\d+\.\d+\.\d+\/\d+\s*\([^\/]+\/(\d+)\)"),0)
+    source_ip3 = if(action contains "Built inbound",arrayindex(regextract(_raw_log ,"[for|to]{2,3}\soutside\:(\d+\.\d+\.\d+\.\d+)\/\d+\s*"),0),
+    action contains "Built outbound",arrayindex(regextract(_raw_log ,"[for|to]{2,3}\sinside\:(\d+\.\d+\.\d+\.\d+)\/\d+"),0),
+    arrayindex(regextract(_raw_log ,"for\s[\w\-\_]+\:(\d+\.\d+\.\d+\.\d+)\/\d+\s+to"),0)),
+    source_port3 = if(action contains "Built inbound",arrayindex(regextract(_raw_log ,"[for|to]{2,3}\soutside\:\s*\d+\.\d+\.\d+\.\d+\/(\d+)"),0),
+    action contains "Built outbound",arrayindex(regextract(_raw_log ,"[for|to]{2,3}\sinside\:\s*\d+\.\d+\.\d+\.\d+\/(\d+)"),0),arrayindex(regextract(_raw_log ,"for\s[\w\-\_]+\:\d+\.\d+\.\d+\.\d+\/(\d+)\s+to"),0)),
+    dest_ip3 = if(action contains "Built inbound",arrayindex(regextract(_raw_log ,"[for|to]{2,3}\sinside\:(\d+\.\d+\.\d+\.\d+)\/\d+\s"),0),action contains "Built outbound",arrayindex(regextract(_raw_log ,"[for|to]{2,3}\soutside\:(\d+\.\d+\.\d+\.\d+)\/\d+\s"),0),
+    arrayindex(regextract(_raw_log ,"to\s[\w\-\_]+\:(\d+\.\d+\.\d+\.\d+)\/\d+"),0)),
+dest_port3 = if(action contains "Built inbound",arrayindex(regextract(_raw_log ,"[for|to]{2,3}\sinside\:\d+\.\d+\.\d+\.\d+\/(\d+)\s"),0),
+    action contains "Built outbound",arrayindex(regextract(_raw_log ,"[for|to]{2,3}\soutside\:\d+\.\d+\.\d+\.\d+\/(\d+)\s"),0),
+    arrayindex(regextract(_raw_log ,"to\s[\w\-\_]+\:\d+\.\d+\.\d+\.\d+\/(\d+)"),0)),
+    source_interface3 = if(action contains "Built inbound","outside", action contains "Built outbound","inside",null),
+    dest_interface3 = if(action contains "Built inbound","inside", action contains "Built outbound","outside",null)
 //option 4
 //from <source_ip>/<source_port> to <interface>:<source_ip>/<source_port>
 | alter
@@ -116,26 +137,37 @@ alter
 // from laddr <source_ip> on interface <interface>> to <dest_ip>
 | alter source_ip13 = arrayindex(regextract(_raw_log ,"\s+from\s+laddr\s+(\d+\.\d+\.\d+\.\d+)\s+on"),0),
     dest_ip13 = arrayindex(regextract(_raw_log ,"\s+from\s+laddr\s+\d+\.\d+\.\d+\.\d+\s+on\s+\w+\s\w+\sto\s+(\d+\.\d+\.\d+\.\d+)"),0)
+// option 14
+// src <src_interface>:<src_ip>/<src_port> dst <dst_interface>:<dst_ip>/<dst_port>
+| alter source_ip14 = arrayindex(regextract(_raw_log ,"src\s[\w\-\_]+\:(\d+\.\d+\.\d+\.\d+)\/\d+"),0),
+    source_port14 = arrayindex(regextract(_raw_log ,"src\s[\w\-\_]+\:\d+\.\d+\.\d+\.\d+\/(\d+)"),0),
+    source_interface14 = arrayindex(regextract(_raw_log ,"src\s([\w\-\_]+)\:\d+\.\d+\.\d+\.\d+\/\d+"),0),
+    dest_ip14 = arrayindex(regextract(_raw_log ,"dst\s[\w\-\_]+\:(\d+\.\d+\.\d+\.\d+)\/\d+"),0),
+    dest_port14 = arrayindex(regextract(_raw_log ,"dst\s[\w\-\_]+\:\d+\.\d+\.\d+\.\d+\/(\d+)"),0),
+    dest_interface14 = arrayindex(regextract(_raw_log ,"dst\s([\w\-\_]+)\:\d+\.\d+\.\d+\.\d+\/\d+"),0)
 // merge the fields
 | alter
-    source_ip = coalesce(source_ip1, source_ip2, source_ip3, source_ip4, source_ip5, source_ip6, source_ip7, source_ip8, source_ip9, source_ip10, source_ip11, source_ip12, source_ip13),
-    source_port = coalesce(source_port1, source_port2, source_port3, source_port4, source_port5, source_port7),
-    source_interface = coalesce(source_interface2, source_interface3),
-    dest_ip = coalesce(dest_ip1, dest_ip2, dest_ip3, dest_ip5, dest_ip6, dest_ip7, dest_ip8, dest_ip9, dest_ip10, dest_ip11, dest_ip12, dest_ip13),
-    dest_port = coalesce(dest_port1, dest_port2, dest_port3, dest_port5, dest_port7),
-    dest_interface = coalesce(dest_interface2, dest_interface3, dest_interface5)
+    source_ip = coalesce(source_ip1, source_ip2, source_ip3, source_ip4, source_ip5, source_ip6, source_ip7, source_ip8, source_ip9, source_ip10, source_ip11, source_ip12, source_ip13,source_ip14),
+    source_port = coalesce(source_port1, source_port2, source_port3, source_port4, source_port5, source_port7, source_port14),
+    source_interface = coalesce(source_interface2, source_interface3,source_interface14),
+    dest_ip = coalesce(dest_ip1, dest_ip2, dest_ip3, dest_ip5, dest_ip6, dest_ip7, dest_ip8, dest_ip9, dest_ip10, dest_ip11, dest_ip12, dest_ip13,dest_ip14),
+    dest_port = coalesce(dest_port1, dest_port2, dest_port3, dest_port5, dest_port7,dest_port14),
+    dest_interface = coalesce(dest_interface2, dest_interface3, dest_interface5,dest_interface14)
 // ------------------------------ end source/dest ip/port/interface part ---------------------------------
+| alter xdm.network.ip_protocol = if(protocol="HOPOPT",XDM_CONST.IP_PROTOCOL_HOPOPT, protocol="ICMP",XDM_CONST.IP_PROTOCOL_ICMP, protocol="IGMP",XDM_CONST.IP_PROTOCOL_IGMP, protocol="GGP",XDM_CONST.IP_PROTOCOL_GGP, protocol="IP",XDM_CONST.IP_PROTOCOL_IP, protocol="ST",XDM_CONST.IP_PROTOCOL_ST, protocol="TCP",XDM_CONST.IP_PROTOCOL_TCP, protocol="CBT",XDM_CONST.IP_PROTOCOL_CBT, protocol="EGP",XDM_CONST.IP_PROTOCOL_EGP, protocol="IGP",XDM_CONST.IP_PROTOCOL_IGP, protocol="BBN_RCC_MON",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, protocol="NVP_II",XDM_CONST.IP_PROTOCOL_NVP_II, protocol="PUP",XDM_CONST.IP_PROTOCOL_PUP, protocol="ARGUS",XDM_CONST.IP_PROTOCOL_ARGUS, protocol="EMCON",XDM_CONST.IP_PROTOCOL_EMCON, protocol="XNET",XDM_CONST.IP_PROTOCOL_XNET, protocol="CHAOS",XDM_CONST.IP_PROTOCOL_CHAOS, protocol="UDP",XDM_CONST.IP_PROTOCOL_UDP, protocol="MUX",XDM_CONST.IP_PROTOCOL_MUX, protocol="DCN_MEAS",XDM_CONST.IP_PROTOCOL_DCN_MEAS, protocol="HMP",XDM_CONST.IP_PROTOCOL_HMP, protocol="PRM",XDM_CONST.IP_PROTOCOL_PRM, protocol="XNS_IDP",XDM_CONST.IP_PROTOCOL_XNS_IDP, protocol="TRUNK_1",XDM_CONST.IP_PROTOCOL_TRUNK_1, protocol="TRUNK_2",XDM_CONST.IP_PROTOCOL_TRUNK_2, protocol="LEAF_1",XDM_CONST.IP_PROTOCOL_LEAF_1, protocol="LEAF_2",XDM_CONST.IP_PROTOCOL_LEAF_2, protocol="RDP",XDM_CONST.IP_PROTOCOL_RDP, protocol="IRTP",XDM_CONST.IP_PROTOCOL_IRTP, protocol="ISO_TP4",XDM_CONST.IP_PROTOCOL_ISO_TP4, protocol="NETBLT",XDM_CONST.IP_PROTOCOL_NETBLT, protocol="MFE_NSP",XDM_CONST.IP_PROTOCOL_MFE_NSP, protocol="MERIT_INP",XDM_CONST.IP_PROTOCOL_MERIT_INP, protocol="DCCP",XDM_CONST.IP_PROTOCOL_DCCP, protocol="3PC",XDM_CONST.IP_PROTOCOL_3PC, protocol="IDPR",XDM_CONST.IP_PROTOCOL_IDPR, protocol="XTP",XDM_CONST.IP_PROTOCOL_XTP, protocol="DDP",XDM_CONST.IP_PROTOCOL_DDP, protocol="IDPR_CMTP",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, protocol="TP",XDM_CONST.IP_PROTOCOL_TP, protocol="IL",XDM_CONST.IP_PROTOCOL_IL, protocol="IPV6",XDM_CONST.IP_PROTOCOL_IPV6, protocol="SDRP",XDM_CONST.IP_PROTOCOL_SDRP, protocol="IPV6_ROUTE",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, protocol="IPV6_FRAG",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, protocol="IDRP",XDM_CONST.IP_PROTOCOL_IDRP, protocol="RSVP",XDM_CONST.IP_PROTOCOL_RSVP, protocol="GRE",XDM_CONST.IP_PROTOCOL_GRE, protocol="DSR",XDM_CONST.IP_PROTOCOL_DSR, protocol="BNA",XDM_CONST.IP_PROTOCOL_BNA, protocol="ESP",XDM_CONST.IP_PROTOCOL_ESP, protocol="AH",XDM_CONST.IP_PROTOCOL_AH, protocol="I_NLSP",XDM_CONST.IP_PROTOCOL_I_NLSP, protocol="SWIPE",XDM_CONST.IP_PROTOCOL_SWIPE, protocol="NARP",XDM_CONST.IP_PROTOCOL_NARP, protocol="MOBILE",XDM_CONST.IP_PROTOCOL_MOBILE, protocol="TLSP",XDM_CONST.IP_PROTOCOL_TLSP, protocol="SKIP",XDM_CONST.IP_PROTOCOL_SKIP, protocol="IPV6_ICMP",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, protocol="IPV6_NONXT",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, protocol="IPV6_OPTS",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, protocol="CFTP",XDM_CONST.IP_PROTOCOL_CFTP, protocol="SAT_EXPAK",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, protocol="KRYPTOLAN",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, protocol="RVD",XDM_CONST.IP_PROTOCOL_RVD, protocol="IPPC",XDM_CONST.IP_PROTOCOL_IPPC, protocol="SAT_MON",XDM_CONST.IP_PROTOCOL_SAT_MON, protocol="VISA",XDM_CONST.IP_PROTOCOL_VISA, protocol="IPCV",XDM_CONST.IP_PROTOCOL_IPCV, protocol="CPNX",XDM_CONST.IP_PROTOCOL_CPNX, protocol="CPHB",XDM_CONST.IP_PROTOCOL_CPHB, protocol="WSN",XDM_CONST.IP_PROTOCOL_WSN, protocol="PVP",XDM_CONST.IP_PROTOCOL_PVP, protocol="BR_SAT_MON",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, protocol="SUN_ND",XDM_CONST.IP_PROTOCOL_SUN_ND, protocol="WB_MON",XDM_CONST.IP_PROTOCOL_WB_MON, protocol="WB_EXPAK",XDM_CONST.IP_PROTOCOL_WB_EXPAK, protocol="ISO_IP",XDM_CONST.IP_PROTOCOL_ISO_IP, protocol="VMTP",XDM_CONST.IP_PROTOCOL_VMTP, protocol="SECURE_VMTP",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, protocol="VINES",XDM_CONST.IP_PROTOCOL_VINES, protocol="TTP",XDM_CONST.IP_PROTOCOL_TTP, protocol="NSFNET_IGP",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, protocol="DGP",XDM_CONST.IP_PROTOCOL_DGP, protocol="TCF",XDM_CONST.IP_PROTOCOL_TCF, protocol="EIGRP",XDM_CONST.IP_PROTOCOL_EIGRP, protocol="OSPFIGP",XDM_CONST.IP_PROTOCOL_OSPFIGP, protocol="SPRITE_RPC",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, protocol="LARP",XDM_CONST.IP_PROTOCOL_LARP, protocol="MTP",XDM_CONST.IP_PROTOCOL_MTP, protocol="AX25",XDM_CONST.IP_PROTOCOL_AX25, protocol="IPIP",XDM_CONST.IP_PROTOCOL_IPIP, protocol="MICP",XDM_CONST.IP_PROTOCOL_MICP, protocol="SCC_SP",XDM_CONST.IP_PROTOCOL_SCC_SP, protocol="ETHERIP",XDM_CONST.IP_PROTOCOL_ETHERIP, protocol="ENCAP",XDM_CONST.IP_PROTOCOL_ENCAP, protocol="GMTP",XDM_CONST.IP_PROTOCOL_GMTP, protocol="IFMP",XDM_CONST.IP_PROTOCOL_IFMP, protocol="PNNI",XDM_CONST.IP_PROTOCOL_PNNI, protocol="PIM",XDM_CONST.IP_PROTOCOL_PIM, protocol="ARIS",XDM_CONST.IP_PROTOCOL_ARIS, protocol="SCPS",XDM_CONST.IP_PROTOCOL_SCPS, protocol="QNX",XDM_CONST.IP_PROTOCOL_QNX, protocol="AN",XDM_CONST.IP_PROTOCOL_AN, protocol="IPCOMP",XDM_CONST.IP_PROTOCOL_IPCOMP, protocol="COMPAQ_PEER",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, protocol="IPX_IN_IP",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, protocol="VRRP",XDM_CONST.IP_PROTOCOL_VRRP, protocol="PGM",XDM_CONST.IP_PROTOCOL_PGM, protocol="L2TP",XDM_CONST.IP_PROTOCOL_L2TP, protocol="DDX",XDM_CONST.IP_PROTOCOL_DDX, protocol="IATP",XDM_CONST.IP_PROTOCOL_IATP, protocol="STP",XDM_CONST.IP_PROTOCOL_STP, protocol="SRP",XDM_CONST.IP_PROTOCOL_SRP, protocol="UTI",XDM_CONST.IP_PROTOCOL_UTI, protocol="SMP",XDM_CONST.IP_PROTOCOL_SMP, protocol="SM",XDM_CONST.IP_PROTOCOL_SM, protocol="PTP",XDM_CONST.IP_PROTOCOL_PTP, protocol="ISIS",XDM_CONST.IP_PROTOCOL_ISIS, protocol="FIRE",XDM_CONST.IP_PROTOCOL_FIRE, protocol="CRTP",XDM_CONST.IP_PROTOCOL_CRTP, protocol="CRUDP",XDM_CONST.IP_PROTOCOL_CRUDP, protocol="SSCOPMCE",XDM_CONST.IP_PROTOCOL_SSCOPMCE, protocol="IPLT",XDM_CONST.IP_PROTOCOL_IPLT, protocol="SPS",XDM_CONST.IP_PROTOCOL_SPS, protocol="PIPE",XDM_CONST.IP_PROTOCOL_PIPE, protocol="SCTP",XDM_CONST.IP_PROTOCOL_SCTP, protocol="FC",XDM_CONST.IP_PROTOCOL_FC, protocol="RSVP_E2E_IGNORE",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, protocol="MOBILITY",XDM_CONST.IP_PROTOCOL_MOBILITY, protocol="UDPLITE",XDM_CONST.IP_PROTOCOL_UDPLITE, protocol="MPLS_IN_IP",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP,to_string(protocol))
 | alter
     xdm.event.id = to_string(event_id),
     xdm.event.description = message,
     xdm.alert.severity = severity,
-    xdm.network.application_protocol = protocol,
     xdm.source.ipv4 = coalesce(source_ip,host_ip),
     xdm.source.port = to_number(source_port),
-    xdm.source.interface = source_interface,
-    xdm.source.sent_bytes = to_number(bytes),
+    xdm.source.zone = source_interface,
+    xdm.source.sent_bytes = to_number(sent_bytes ),
     xdm.target.ipv4 = dest_ip,
     xdm.target.port = to_number(dest_port),
-    xdm.target.interface = dest_interface,
+    xdm.target.zone = dest_interface,
     xdm.source.user.username = user_name,
-    xdm.event.operation = action;
+    xdm.event.outcome_reason = action,
+    xdm.event.duration = to_number(duration),
+    xdm.observer.name = hostname,
+    xdm.event.is_completed = if(action contains "Teardown",true, false);